71783 Commits

Author SHA1 Message Date
Paolo Tranquilli
c6585b726a Rust: use common config for analysis
Now that the nightly bundle has the default query set, we don't need a special
inline config.
2024-10-31 16:44:07 +01:00
Jeroen Ketema
03ced1795a Merge pull request #17694 from jketema/multiple-entry-point
C++: Do not generate IR for functions with multiple entry points
2024-10-31 16:16:03 +01:00
Paolo Tranquilli
e5a199b821 Rust: accept test changes due to toString implementations 2024-10-31 16:02:56 +01:00
Rasmus Wriedt Larsen
61e60de969 JS: Model readline as a stdin threat-model source
Technically not always true, but my assumption is that +90% of the time
that's what it will be used for, so while we could be more precise by
adding a taint-step from the `input` part of the construction, I'm not
sure it's worth it in this case.

Furthermore, doing so would break with the current way we model
threat-model sources, and how sources are generally modeled in JS... so
for a very pretty setup it would require changing all the other `file`
threat-model sources to start at the constructors such as
`fs.createReadStream()` and have taint-propagation steps towards the
actual use (like we do in Python)...

I couldn't see an easy path forwards for doing this while keeping the
Concepts integration, so I opted for the simpler solution here.
2024-10-31 14:29:30 +01:00
Rasmus Wriedt Larsen
eca8bf5a35 JS: Do simple modeling of process.stdin as threat-model source 2024-10-31 14:26:45 +01:00
Paolo Tranquilli
cee2ed0ec4 Rust: extract some resolved paths 2024-10-31 14:19:15 +01:00
Rasmus Wriedt Larsen
34b86c39c1 JS: Model fs.promises.readFile as file source
You could argue that proper modeling be done in the same way as
`NodeJSFileSystemAccessRead` is done for the callback-based `fs` API (in
NodeJSLib.qll). However, that work is straying from the core goals I'm
working towards right now, so I'll argue that "perfect is the enemy of
good", and leave this as is for now.
2024-10-31 14:09:38 +01:00
Rasmus Wriedt Larsen
971f53870e JS: Include fs externs
Makes a difference due to the modeling of NodeJSFileSystemAccessRead depending on these, see
412e841d69/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll (L479-L488)

File copied from 7cef4322e7/javascript/externs/nodejs/fs.js
2024-10-31 13:51:22 +01:00
Rasmus Wriedt Larsen
b47fa77dc6 JS: Add tests for stdin threat-model sources 2024-10-31 12:59:21 +01:00
Tom Hvitved
d0f9a0b9ce Rust: Add another unused-value test 2024-10-31 11:43:33 +01:00
Tom Hvitved
55a6ed7e8a Rust: Include link to variable in unused value query 2024-10-31 11:42:44 +01:00
Tom Hvitved
2b340b18dd Rust: Exclude results inside macro expansions from unused entity queries 2024-10-31 11:42:43 +01:00
Tom Hvitved
fec31a6da4 Rust: Include variable name in Unused{Variable,Value}.ql 2024-10-31 11:42:41 +01:00
Tom Hvitved
6b60865d7e Ruby: Do not distinguish between symbols and strings in hash keys 2024-10-31 11:42:09 +01:00
Tom Hvitved
2b37c6cd32 Merge pull request #17548 from hvitved/shared/inline-test-post-process
Shared: Post-processing query for inline test expectations
2024-10-31 11:40:11 +01:00
Tom Hvitved
f04a55ecb5 Ruby: Update hash extension tests 2024-10-31 11:00:33 +01:00
Jeroen Ketema
5e3748ac12 C++: Update expected test results 2024-10-31 10:57:12 +01:00
Jeroen Ketema
1a830cdf14 C++: Do not generate IR for functions with multiple entry points in different locations 2024-10-31 10:55:52 +01:00
Jeroen Ketema
8cfd19cf2f C++: Add multiple entry point test 2024-10-31 10:55:48 +01:00
Tom Hvitved
977eb05f31 Merge pull request #17879 from paldepind/rust-speculative-taint
Rust: Add predicate for speculative taint step
2024-10-31 10:17:48 +01:00
Simon Friis Vindum
00b8a29da7 Rust: Add predicate for speculative taint step 2024-10-31 09:09:39 +01:00
Simon Friis Vindum
b96698aee3 Merge pull request #17871 from paldepind/rust-data-flow-skeleton
Rust: Add basic skeleton setup for data flow
2024-10-31 08:26:11 +01:00
Tom Hvitved
c936468b17 Merge pull request #17739 from hvitved/dataflow/big-step-quadratic 2024-10-31 08:16:16 +01:00
Anders Schack-Mulligen
b556590ef8 Merge pull request #17663 from aschackmull/dataflow/speculative-flow
Dataflow: Add support for speculative taint flow.
2024-10-31 08:12:43 +01:00
Paolo Tranquilli
7e8a09aea1 Merge pull request #17825 from github/redsun82/rust-canonical-path
Rust: add `extended_canonical_path` and `crate_origin` to `Item`
2024-10-30 18:13:05 +01:00
Simon Friis Vindum
efa59fd2b6 Rust: Make changes based on PR feedback 2024-10-30 16:01:26 +01:00
Anders Schack-Mulligen
570b042645 Dataflow: Rename SpeculativeFlow to SpeculativeGlobal. 2024-10-30 15:23:15 +01:00
Anders Schack-Mulligen
9b493c1e1b Java: Fix bug related to null inference for pattern initializer. 2024-10-30 15:05:36 +01:00
Taus
2ef3ae9860 Python: Improve parser logging/timing/customisability
Does a bunch of things, unfortunately all in the same place, so my
apologies in advance for a slightly complicated commit.

As for the changes themselves, this commit

- Adds timers for the old and new parsers. This means we get the overall
time spent on these parts of the extractor if the extractor is run with
`DEBUG` output shown.
- Adds logging information (at the `DEBUG` level) to show which
invocations of the parsers happen when, and whether they succeed or not.
- Adds support for using an environment variable named
`CODEQL_PYTHON_DISABLE_OLD_PARSER` to disable using the old parser
entirely. This makes it easier to test the new parser in isolation.
- Fixes a bug where we did not check whether a parse with the new parser
had already succeeded, and so would do a superfluous second parse.
2024-10-30 13:58:46 +00:00
Anders Schack-Mulligen
b005973317 UniversalFlow: Skip property propagation to null nodes. 2024-10-30 14:08:38 +01:00
Taus
f75615b913 Merge pull request #17822 from github/tausbn/python-more-parser-fixes
Python: A few more parser fixes
2024-10-30 13:47:10 +01:00
Arthur Baars
0e511d640b Rust: avoid panics
If:
* the text for a file_id is not found (likely non-utf data in file)
* path does not appear in Vfs, in which case we fall back on loading the file from disk with no "semantics" available
2024-10-30 13:18:36 +01:00
Simon Friis Vindum
44bebedae6 Rust: Add basic skeleton setup for data flow 2024-10-30 13:16:26 +01:00
Tom Hvitved
495c92df38 Shared: Also take query ID into account in PathProblemSourceTestInput 2024-10-30 10:54:40 +01:00
Chris Smowton
2b678c97ab Merge pull request #17870 from charmander/patch-1
Fix typo and grammar in InsecureCookie.qhelp
2024-10-30 09:48:20 +00:00
Chris Smowton
5f31adc1f4 Update InsecureCookie.qhelp
Gratuitous commit to nudge CI
2024-10-30 09:34:49 +00:00
Tom Hvitved
ff9811b488 C#: Add tests for the inline test post-processor 2024-10-30 10:09:40 +01:00
Charmander
a97998811a Fix typo and grammar in InsecureCookie.qhelp 2024-10-30 07:29:20 +00:00
Paolo Tranquilli
4c73c6284e Merge pull request #17867 from github/dbartol/actions-build
Add the Actions extractor to the build
2024-10-30 05:48:41 +01:00
Dave Bartolomeo
b07642b585 Fix linting 2024-10-29 17:09:47 -04:00
Dave Bartolomeo
902a8bd847 Add Actions extractor to build 2024-10-29 16:54:37 -04:00
Dave Bartolomeo
3c9e19346c Update test expectations 2024-10-29 16:53:36 -04:00
Tom Hvitved
cc94c42f87 Address review comments 2024-10-29 20:36:16 +01:00
Ian Lynagh
b00bbc9ca2 Merge pull request #17731 from igfoo/igfoo/removeErasure
Java/Kotlin: Remove the erasure dbscheme relation
2024-10-29 14:21:57 +00:00
Rasmus Wriedt Larsen
2b6c27eb60 JS: Add initial file threat-model support
However, as indicated by the `MISSING` annotations, we could do better.
2024-10-29 15:14:39 +01:00
Rasmus Wriedt Larsen
3656864695 JS: Add database threat-model source modeling 2024-10-29 15:11:09 +01:00
Tom Hvitved
baeffa2345 Update rust/ql/test/query-tests/unusedentities/unreachable.rs
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2024-10-29 15:00:09 +01:00
Anders Schack-Mulligen
8b5756526c Update python/ql/test/experimental/library-tests/CallGraph/InlineCallGraphTest.ql
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2024-10-29 13:57:27 +01:00
Tom Hvitved
dd520fea47 Rust: Post-processing query for inline test expectations 2024-10-29 13:37:04 +01:00
Tom Hvitved
1259b7e8e7 JS: Post-processing query for inline test expectations 2024-10-29 13:35:38 +01:00